Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw OneBot

v1.2.10

OneBot 11 channel plugin for QQ messaging (NapCat/go-cqhttp). Native OpenClaw integration with private/group chat, group reactions, block streaming, voice pi...

by Jerry @xucheng
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, required binaries (node/npm), config keys (channels.onebot.wsUrl, httpUrl), and included code implement a OneBot channel plugin as claimed. The codebase and scripts are consistent with the stated features (WS/HTTP, media/voice pipeline, reactions, shared-dir). Small note: the plugin includes a helper that patches the OpenClaw CLI/dist files to add shared-dir flags — related to the plugin's purpose but intrusive (see persistence_privilege).
Instruction Scope
SKILL.md and scripts clearly instruct building, installing into ~/.openclaw/plugins/onebot, reading openclaw.json and optional env vars (ONEBOT_WS_URL, ONEBOT_HTTP_URL, ONEBOT_ACCESS_TOKEN). Runtime code reads only the expected config and environment fallbacks. No instructions to exfiltrate unrelated files or call arbitrary external endpoints outside OneBot/NapCat.
Install Mechanism
There is no registry install spec (instruction-only), but the repository includes an install.sh and prepare/pack scripts. The installer prepares a trimmed release payload and copies it to the OpenClaw plugin directory, then runs npm install in that plugin directory (skipping dev/peer/audit). No remote downloads or obscure URLs; dependencies are standard (runtime dependency is 'ws'). package-lock contains many dev entries but runtime deps are minimal. The installer runs npm ci in the source repo (to build the release), which is normal for a local build but executes code on the machine.
Credentials
The plugin does not request unrelated secrets. It uses OneBot-specific config keys and optional env vars (ONEBOT_WS_URL/HTTP/ACCESS_TOKEN) appropriate for connecting to NapCat/go-cqhttp. It reads ~/.openclaw/openclaw.json by default which is expected for OpenClaw plugins. No broad credential requests present.
! Persistence & Privilege
The install process and provided script(s) modify other installed OpenClaw files: scripts/sync-openclaw-cli.mjs directly patches JavaScript and type definition files under OPENCLAW_HOME/lib/node_modules/openclaw/dist to add shared-dir/container-shared-dir flags. The install.sh attempts to run that sync script automatically. Modifying another package's dist files is intrusive and raises risk (can change CLI behavior or introduce bugs). The plugin will be copied into ~/.openclaw/plugins/onebot (expected), but the cross-package patching is a privileged operation and should be reviewed before running.
What to consider before installing
What is good: The code, README and SKILL.md align with a OneBot/NapCat channel plugin: it needs node/npm, reads channels.onebot.* config and optional ONEBOT_* env vars, supports media/voice and reactions, and bundles a small runtime dep (ws).

What to watch for and do before installing:

1) Review scripts/sync-openclaw-cli.mjs and scripts/install.sh — they patch files under your OpenClaw installation (OPENCLAW_HOME or ~/.openclaw) to add shared-dir flags. That means the installer will modify other installed package files; inspect the exact string replacements and back up your OpenClaw installation before running.
2) Prefer running the install in an isolated environment (test machine or container) first so you can verify behavior and any patches.
3) The install process runs npm ci/build locally — ensure you trust the source repository contents (or prepare the release payload in a controlled build).
4) If you want to minimize host changes, you can run prepare:clawhub:plugin, inspect .clawhub-plugin/openclaw-onebot-plugin, then manually copy only the prepared runtime artifacts to your plugin directory rather than running the automated install.
5) Verify openclaw.json and the plugin's config after install, and test in a staging environment.

If you need higher confidence, ask for upstream provenance (link to a known GitHub release or maintainer signature) and for a short audit showing the sync script only adds CLI flags and does not inject arbitrary code.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

src/gateway.ts:31: Environment variable access combined with network send.
src/outbound.ts:29: Environment variable access combined with network send.
test/channel.test.ts:8: Environment variable access combined with network send.
! src/gateway.ts:3: File read combined with network send (possible exfiltration).
! test/outbound.test.ts:1: File read combined with network send (possible exfiltration).


latest: vk9752v0xyw8fhcxv39q1fp7y6s84pxcs

Runtime requirements

🐧 Clawdis
Bins: node, npm
Config: channels.onebot.wsUrl, channels.onebot.httpUrl